In late 2023, genetic testing company 23andMe admitted that its customer data was leaked online. A company representative told us back then that the bad actors were able to access the DNA Relatives profile information of roughly 5.5 million customers and the Family Tree profile information of 1.4 million DNA Relative participants. Now, the company has revealed more details about the incident in a legal filing, where it said that the hackers started breaking into customer accounts in late April 2023. The bad actors’ activities went on for months and lasted until September 2023 before the company finally found out about the security breach.
23andMe’s filing contains the letters it sent customers who were affected by the incident. In the letters, the company explained that the attackers used a technique called credential stuffing, which entailed using previously compromised login credentials to access customer accounts through its website. The company didn’t notice anything wrong until after a user posted a sample of the stolen data on the 23andMe subreddit in October. As TechCrunch notes, hackers had already advertised that stolen data on a hacker forum a few months before that in August, but 23andMe didn’t catch wind of that post. The stolen information included customer names, birth dates, ancestry and health-related data.
23andMe advised affected users to change their passwords after disclosing the data breach. But before sending out letters to customers, the company changed the language in its terms of service that reportedly made it harder for people affected by the incident to join forces and legally go after the company.